This chapter covers the iptables firewall administration program used to build a Netfilter firewall. For those of you who are familiar with or accustomed to the older ipfwadm and ipchains programs used with the IPFW technology, iptables will look very similar to those programs. However, it is much more feature-rich and flexible, and it is very different on subtle levels.

This chapter is from the book

Chapter
2, "Packet-Filtering
Concepts," covers
the
background
ideas
and
concepts
behind
a packet-filtering
firewall.
Each
built-in
rule
chain
has
its
own
default
policy.
Each
rule
can
apply
not
only
to an
individual
chain,
but
also
to a
specific
network
interface,
message
protocol
type
(such
as TCP,
UDP,
or ICMP),
and
service
port
or ICMP
message
type
number.
Individual
acceptance,
denial,
and
rejection
rules
are
defined
for
the INPUT chain
and
the OUTPUT chain,
as well
as for
the FORWARD chain,
which
you'll
learn
about
at the
end
of this
chapter
and
in Chapter
6, "Packet
Forwarding." The
next
chapter
pulls
those
ideas
together
to demonstrate
how
to build
a simple,
single-system,
custom-designed
firewall
for
your
site.

This
chapter
covers
the
iptables
firewall
administration
program
used
to build
a Netfilter
firewall.
For
those
of you
who
are
familiar
with
or accustomed
to the
older
ipfwadm
and
ipchains
programs
used
with
the
IPFW
technology,
iptables
will
look
very
similar
to those
programs.
However,
it is
much
more
feature-rich
and
flexible,
and
it is
very
different
on subtle
levels.

There
is indeed
a difference
between
iptables
and
Netfilter,
though
you'll
often
hear
the
terms
used
interchangeably.
Netfilter
is the
Linux
kernel-space
program
code
to implement
a firewall
within
the
Linux
kernel,
either
compiled
directly
into
the
kernel
or included
as a
set
of modules.
On the
other
hand,
iptables
is the
userland
program
used
for
administration
of the
Netfilter
firewall.
Throughout
this
text,
I will
refer
to iptables
as being
inclusive
of both
Netfilter
and
iptables,
unless
otherwise
noted.

Differences
Between
IPFW
and
Netfilter
Firewall
Mechanisms

Because iptables is so different from the previous ipchains, this book
won’t attempt to cover the older implementation.

The next section is written for the reader who is familiar with or is
currently using ipchains. If iptables is your first introduction to Linux
firewalling, you can skip ahead to the section "Netfilter Packet
Traversal."

If you are converting from ipchains, you’ll notice several minor
differences in the iptables syntax, most notably that the input and output
network interfaces are identified separately. iptables is highly modularized,
and the individual modules must occasionally be loaded explicitly. Logging is a
rule target rather than a command option. Connection state tracking can be
maintained. Address and Port Translation are now logically separate functions
from packet filtering. Full Source and Destination Address Translation are
implemented. Masquerading is now a term used to refer to a specialized form of
source address NAT. Port forwarding and Destination Address Translation are
supported directly without the need for third-party software support such as
ipmasqadm.

Masquerading in Earlier Versions of Linux

For those of you who are new to Linux, Network Address Translation (NAT) is
fully implemented in iptables. Before this, NAT was called masquerading in
Linux. A simple, partial implementation of Source Address Translation,
masquerading was used by site owners who had a single public IP address and who
wanted other hosts on their private network to be capable of accessing the
Internet. Outgoing packets from these internal hosts had their source address
masqueraded to that of the public, routable IP address.

The most important difference is in how packets are routed or forwarded
through the operating system, making for subtle differences in how the firewall
rule set is constructed.

For ipchains users, understanding the differences in packet traversal that
are discussed in the next two sections is very important. iptables and ipchains
look very much alike on the surface, but they are very different in practice.
It’s very easy to write syntactically correct iptables rules that have a
different effect from what a similar rule would have done in ipchains. It can be
confusing. If you already know ipchains, you must keep the differences in
mind.

IPFW Packet Traversal

Under IPFW (ipfwadm and ipchains), three built-in filter chains were used.
All packets arriving on an interface were filtered against the input chain. If
the packet was accepted, it was passed to the routing module. The routing
function determined whether the packet was to be delivered locally or forwarded
to another outgoing interface. IPFW packet flow is pictured in Figure
3.1.

If forwarded, the packet was filtered a second time against the forward
chain. If the packet was accepted, it was passed to the output chain.

Both locally generated outgoing packets and forwarded packets were passed to
the output chain. If the packet was accepted, it was sent out the interface.

Received and sent local (loopback) packets passed through two filters.
Forwarded packets passed through three filters.

The loopback path involved two chains. As shown in Figure
3.2, each loopback
packet passed through the output filter before going "out" the loopback
interface, where it was then delivered to the loopback’s input interface.
Then the input filter was applied.

Note that the loopback path demonstrates why people’s X Window session
hangs when starting a firewall script that either doesn’t allow loopback
traffic or fails before doing so when a deny by default policy is used.

In the case of response packets being demasqueraded before forwarding them on
to the LAN, the input filters were applied. Rather than passing through the
routing function, the packet was handed directly to the output filter chain.
Thus, demasqueraded incoming packets were filtered twice. Outgoing masqueraded
packets were filtered three times.

Netfilter Packet Traversal

Under Netfilter (iptables), built-in INPUT, OUTPUT, and
FORWARD filter chains are used. Incoming packets pass through the
routing function, which determines whether to deliver the packet to the local
host’s input chain or on to the forward chain. Netfilter packet flow is
pictured in Figure
3.3.

If a locally destined packet is accepted by the INPUT chain’s
rules, the packet is delivered locally. If a remotely destined packet is
accepted by the FORWARD chain’s rules, the packet is sent out the
appropriate interface.

Outgoing packets from local processes are passed to the OUTPUT
chain’s rules. If the packet is accepted, it is sent out the appropriate
interface. Thus, each packet is filtered once (except for loopback packets,
which are filtered twice).